- SentinelOne uncovers new SHub macOS infostealer variant dubbed Reaper, spread via typosquatted WeChat and Miro domains
- The malware disguises itself with fake Apple and Google update components, establishing persistence and backdoor access
- Reaper targets browser credentials, crypto wallets, password managers, and sensitive documents, with signs of Russian‑speaking operators avoiding CIS systems
Cybersecurity researchers from SentinelOne have discovered a new variant of the notorious SHub macOS infostealer malware called ‘Reaper’.
In a new report SentinelOne said it observed typosquatted domains spoofing popular apps WeChat (a popular Chinese messaging and social media app) and Miro (an online visual collaboration and whiteboard platform).
Victims using macOS and looking to install these apps will trigger an infection chain that constantly changes its disguise to make the malware look legitimate at every stage of attack. After launching the script, it will display a fake update message referencing Apple’s XProtectRemediator security tool, and after infecting the system, it will establish persistence by creating files and folders designed to look like a genuine Google software update component.
Avoiding the Russians
It will store a backdoor in a fake “GoogleUpdate” directory and register a LaunchAgent named “com.google.keystone.agent.plist,” the researchers said.
The goal of the campaign is to steal credentials and sensitive files, as well as cryptocurrency wallets. While SentinelOne does not attribute the attack to any specific group or threat actor, it did say there were several hints suggesting the operators may be Russian speaking (or are, at least, trying to avoid targets in former Soviet states).
The malware checks whether the infected system uses Russian input sources and exits if it detects systems in the CIS (Commonwealth of Independent States) region. SentinelOne also said that when they tried to bypass the malware’s anti-analysis protection, a fake website displayed a Russian “Access Denied” message.
The Reaper variant primarily targets web browsers, cryptocurrency wallets, and applications that may contain financial or business-related data, stealing browser credentials, crypto wallet data, login keychains, Telegram session data, and documents from the Desktop and Documents folders.
It also searches for browser extensions linked to password managers such as 1Password, Bitwarden, and LastPass, along with cryptocurrency wallets like MetaMask and Phantom.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/o3U2t4BxoC8wMpEHpLqKMd-1920-80.jpg
Source link
